Wednesday, June 17, 2009

xinetd Configuration Files

xinetd Configuration Files

The configuration files for xinetd are as follows:

  • /etc/xinetd.conf — The global xinetd configuration file.

  • /etc/xinetd.d/ directory — The directory containing all service-specific files.

The /etc/xinetd.conf File

The /etc/xinetd.conf contains general configuration settings which effect every service under xinetd's control. It is read once when the xinetd service is started, so in order for configuration changes to take effect, the administrator must restart the xinetd service. Below is a sample /etc/xinetd.conf file:

defaults
{
       instances               = 60
       log_type                = SYSLOG authpriv
       log_on_success          = HOST PID
       log_on_failure          = HOST
       cps                     = 25 30
}
includedir /etc/xinetd.d

These lines control various aspects of xinetd:

  • instances — Sets the maximum number of requests xinetd can handle at once.

  • log_type — Configures xinetd to use the authpriv log facility, which writes log entries to the /var/log/secure file. Adding a directive such as FILE /var/log/xinetdlog here would create a custom log file called xinetdlog in the /var/log/ directory.

  • log_on_success — Configures xinetd to log if the connection is successful. By default, the remote host's IP address and the process ID of server processing the request are recorded.

  • log_on_failure — Configures xinetd to log if there is a connection failure or if the connection is not allowed.

  • cps — Configures xinetd to allow no more than 25 connections per second to any given service. If this limit is reached, the service is retired for 30 seconds.

  • includedir /etc/xinetd.d/ — Includes options declared in the service-specific configuration files located in the /etc/xinetd.d/ directory. Refer to Section 15.4.2 The /etc/xinetd.d/ Directory for more information about this directory.

Note Note

Often, both the log_on_success and log_on_failure settings in /etc/xinetd.conf are further modified in the service-specific log files. For this reason, more information may appear in a given service's log than this file may indicate. See Section 15.4.3.1 Logging Options for more about logging options.

The /etc/xinetd.d/ Directory

The files in the /etc/xinetd.d/ directory contains the configuration files for each service managed by xinetd and the names of the files correlate to the service. As with xinetd.conf, this file is read only when the xinetd service is started. In order for any changes to take effect, the administrator must restart the xinetd service.

The format of files in the /etc/xinetd.d/ directory use the same conventions as /etc/xinetd.conf. The primary reason the configuration for each service is stored in separate file is to make customization easier and less likely to effect other services.

To get an idea of how these files are structured, consider the /etc/xinetd.d/telnet file:

service telnet
{
       flags           = REUSE
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/sbin/in.telnetd
       log_on_failure  += USERID
       disable         = yes
}

These lines control various aspects of the telnet service:

  • service — Defines the service name, usually to match a service listed in the /etc/services file.

  • flags — Sets any of a number of attributes for the connection. REUSE instructs xinetd to reuse the socket for a Telnet connection.

  • socket_type — Sets the network socket type to stream.

  • wait — Defines whether the service is single-threaded (yes) or multi-threaded (no).

  • user — Defines what user ID the process process will run under.

  • server — Defines the binary executable to be launched.

  • log_on_failure — Defines logging parameters for log_on_failure in addition to those already defined in xinetd.conf.

  • disable — Defines whether or not the service is active.

Altering xinetd Configuration Files

There are a large assortment of directives available for xinetd protected services. This section highlights some of the more commonly used options.

Logging Options

The following logging options are available for both /etc/xinetd.conf and the service-specific configuration files in the /etc/xinetd.d/ directory.

Below is a list of some of the more commonly used logging options:

  • ATTEMPT — Logs the fact that a failed attempt was made (log_on_failure).

  • DURATION — Logs the length of time the service is used by a remote system (log_on_success).

  • EXIT — Logs the exit status or termination signal of the service (log_on_success).

  • HOST — Logs the remote host's IP address (log_on_failure and log_on_success).

  • PID — Logs the process ID of the server receiving the request (log_on_success).

  • RECORD — Records information about the remote system in the case the service cannot be started. Only particular services, such as login and finger, may use this option (log_on_failure).

  • USERID — Logs the remote user using the method defined in RFC 1413 for all multi-threaded stream services (log_on_failure and log_on_success).

For a complete list of logging options, consult the xinetd.conf man page.

Access Control Options

Users of xinetd services can choose to use the TCP wrappers hosts access rules, provide access control via the xinetd configuration files, or a mixture of both. Information concerning the use of TCP wrappers hosts access control files can be found in Section 15.2 TCP Wrappers Configuration Files. This section discusses using xinetd to control access to services.

Note Note

Unlike TCP wrappers, changes to access control only take effect if the xinetd administrator restarts the xinetd service.

The xinetd hosts access control differs from the method used by TCP wrappers. While TCP wrappers places all of the access configuration within two files, /etc/hosts.allow and /etc/hosts.deny, each service's file in /etc/xinetd.d can contain its own access control rules.

The following hosts access options are supported by xinetd:

  • only_from — Allows only the specified hosts to use the service.

  • no_access — Blocks listed hosts from using the service.

  • access_times — Specifies the time range when a particular service may be used. The time range must be stated in 24-hour format notation, HH:MM-HH:MM.

The only_from and no_access options can use a list of IP addresses or host names, or can specify an entire network. Like TCP wrappers, combining xinetd access control with the enhanced logging configuration can enhance security by blocking requests from banned hosts while verbosely record each connection attempt.

For example, the following /etc/xinetd.d/telnet file can be used to block Telnet access from a particular network group and restrict the overall time range that even allowed users can log in:

service telnet
{
       disable         = no
       flags           = REUSE
       socket_type     = stream
       wait            = no
       user            = root
       server          = /usr/sbin/in.telnetd
       log_on_failure  += USERID
       no_access       = 10.0.1.0/24
       log_on_success  += PID HOST EXIT
       access_times    = 09:45-16:15
}

In this example, when client system from the 10.0.1.0/24 network, such as 10.0.1.2, tries access the Telnet service, it will receive a message stating the following message:

Connection closed by foreign host.

In addition, their login attempt is logged in /var/log/secure as follows:

May 15 17:38:49 boo xinetd[16252]: START: telnet pid=16256 from=10.0.1.2
May 15 17:38:49 boo xinetd[16256]: FAIL: telnet address from=10.0.1.2
May 15 17:38:49 boo xinetd[16252]: EXIT: telnet status=0 pid=16256

When using TCP wrappers in conjunction with xinetd access controls, it is important to understand the relationship between the two access control mechanisms.

The following is the order of operations followed by xinetd when client requests a connection:

  1. The xinetd daemon accesses the TCP wrappers hosts access rules through a libwrap.a library call. If a deny rule matches the client host, the connection is dropped. If an allow rule matches the client host, the connection is passed on to xinetd.

  2. The xinetd daemon checks its own access control rules both for the xinetd service and the requested service. If a deny rule matches the client host the connection is dropped. Otherwise, xinetd starts an instance of the requested service and passes control of the connection to it.

Important Important

Care should be taken when using TCP wrappers access controls in conjunction with xinetd access controls. Misconfiguration can cause undesired effects.

Binding and Redirection Options

The service configuration files for xinetd support binding the service to an IP address and redirecting incoming requests for that service to another IP address, hostname, or port.

Binding is controlled with the bind option in the service-specific configuration files and links the service to one IP address on the system. Once configured, the bind option only allows requests for the proper IP address to access the service. This way different services can be bound to different network interfaces based on need.

This is particularly useful for systems with multiple network adapters or with multiple IP addresses configured. On such a system, insecure services, like Telnet, can be configured to listen only on the interface connected to a private network and not to the interface connected with the Internet.

The redirect option accepts an IP address or hostname followed by a port number. It configures the service to redirect any requests for this service to the specified host and port number. This feature can be used to point to another port number on the same system, redirect the request to different IP address on the same machine, shift the request to a totally different system and port number, or any combination of these options. In this way, a user connecting to certain service on a system may be rerouted to another system with no disruption.

The xinetd daemon is able to accomplish this redirection by spawning a process that stays alive for the duration of the connection between the requesting client machine and the host actually providing the service, transferring data between the two systems.

But the advantages of the bind and redirect options are most clearly evident when they are used together. By binding a service to a particular IP address on a system and then redirecting requests for this service to a second machine that only the first machine can see, an internal system can be used to provide services for a totally different network. Alternatively, these options can be used to limit the exposure of a particular service on a multi-homed machine to a known IP address, as well as redirect any requests for that service to another machine specially configured for that purpose.

For example, consider a system that is used as a firewall with this setting for its Telnet service:

service telnet
{
       socket_type     = stream
       wait            = no
       server          = /usr/sbin/in.telnetd
       log_on_success      += DURATION USERID
       log_on_failure      += USERID
       bind                    = 123.123.123.123
       redirect                = 10.0.1.13 21 23
}

The bind and redirect options in this file ensures that the Telnet service on the machine is bound to the external IP address (123.123.123.123), the one facing the Internet. In addition, any requests for Telnet service sent to 123.123.123.123 are redirected via a second network adapter to an internal IP address (10.0.1.13) that only the firewall and internal systems can access. The firewall then send the communication between the two systems, and the connecting system thinks it is connected to 123.123.123.123 when it is actually connected to a different machine.

This feature is particularly useful for users with broadband connections and only one fixed IP address. When using Network Address Translation (NAT), the systems behind the gateway machine, which are using internal-only IP addresses, are not available from outside the gateway system. However, when certain services controlled by xinetd are configured with the bind and redirect options, the gateway machine can act as a type of proxy between outside systems and a particular internal machine configured to provide the service. In addition, the various xinetd access control and logging options are also available for additional protection, such as limiting the number of simultaneous connections for the redirected service.

Resource Management Options

The xinetd daemon can add a basic level of protection from a Denial of Service (DoS) attacks. Below is a list of directives which can aid in limiting the effectiveness of such attacks:

  • per_source — Defines the maximum number of instances for a service per source IP address. It accepts only integers as an argument and can be used in both xinetd.conf and in the service-specific configuration files in the xinetd.d/ directory.

  • cps — Defines the maximum of connections per second. This directive takes two integer arguments separated by white space. The first is the maximum number of connections allowed to the service per second. The second is the number of seconds xinetd must wait before re-enabling the service. It accepts only integers as an argument and can be used in both xinetd.conf and in the service-specific configuration files in the xinetd.d/ directory.

  • max_load — Defines the CPU usage threshold for a service. It accepts a floating point number argument.

There more resource management options available for xinetd. See the chapter titled Server Security in the Red Hat Linux Security Guide for more information. Also consult the xinetd.conf man page.

Posted by at No comments:

Thursday, June 11, 2009

Bash shell

Local





External










History



Commands









CommandDescription
control-RSearch Command History in Reverse (the prefered direction)



Settings




# set num lines of history kept in memory
export HISTSIZE=5000

# set num lines of history persisted in a file
export HISTFILESIZE=5000

# ?? HISTFILE


Useful Links








stderr Piping




$cmd > stdout.txt 2> stderr.txt

$cmd 2>&1 > stdoutAndErr.txt
# alternate(?) method:
$cmd > stdoutAndErr.txt 2>&1

$cmd 2>&1 | stdoutAndErr






Disable Screen Blank




# This needs to happen:
setterm -blank 0

# try putting it in /etc/bashrc





Disable Beep




# This needs to happen:
setterm -blength 0

# try putting it in /etc/bashrc





String Manipulation








OperationHow to
string length${#parameter}
substitute
${parameter//pattern/string} - all occurances

${parameter/pattern/string} - 1 time

substitutes newStr for pattern in parameter

parameter is expanded like with file name expansion (???)

if pattern starts with # it matches at the beginning of parameter only

if pattern starts with % it matches at the end of parameter only

if string is empty matches are deleted, in this case the '/' before string is optional

there are some sort of special cases with '@' and '*' either in or as parameter (? maybe works with the command line parameters in these cases ?)





Customizing



To customize bash, like adding more directories to the search path, modify ~/.bash_profile






Case Statement




COUNT=three
case $COUNT in
 1)
  echo 1
  ::
 three)
  echo it is three
  ::
 *)
  echo it is not 1 or 'three'
  ::
esac





Command stuff





TEXT_OUT=`ls`Getting the output of a command into a variableuse single back quotes





Removing Leading Chars



This removes the first char, but making a substring starting from the 2nd char 
echo ${myVar:2}






Conditional Expressions



6.4 Bash Conditional Expressions
Conditional expressions are used by the [[ compound command and the test and [ builtin commands.

Expressions may be unary or binary.
Unary expressions are often used to examine the status of a file.
There are string operators and numeric comparison operators as well.
If the file argument to one of the primaries is of the form `/dev/fd/N',
then file descriptor N is checked. If the file argument to one of the primaries is
one of `/dev/stdin', `/dev/stdout', or `/dev/stderr', file descriptor 0, 1, or 2, respectively,
is checked.


















































































































































-a file True if file exists.
-b file True if file exists and is a block special file.
-c file True if file exists and is a character special file.
-d file True if file exists and is a directory.
-e file True if file exists.
-f file True if file exists and is a regular file.
-g file True if file exists and its set-group-id bit is set.
-h file True if file exists and is a symbolic link.
-k file True if file exists and its "sticky" bit is set.
-p file True if file exists and is a named pipe (FIFO).
-r file True if file exists and is readable.
-s file True if file exists and has a size greater than zero.
-t fd True if file descriptor fd is open and refers to a terminal.
-u file True if file exists and its set-user-id bit is set.
-w file True if file exists and is writable.
-x file True if file exists and is executable.
-O file True if file exists and is owned by the effective user id.
-G file True if file exists and is owned by the effective group id.
-L file True if file exists and is a symbolic link.
-S file True if file exists and is a socket.
-N file True if file exists and has been modified since it was last read.
file1 -nt file2 True if file1 is newer (according to modification date) than file2, or if file1 exists and file2 does not.
file1 -ot file2 True if file1 is older than file2, or if file2 exists and file1 does not.
file1 -ef file2 True if file1 and file2 refer to the same device and inode numbers.
-o optname True if shell option optname is enabled. The list of options appears in the description of the `-o' option to the set builtin (see section 4.3 The Set Builtin).
-z string True if the length of string is zero.
-n string
or
string		 True if the length of string is non-zero.
string1 == string2 True if the strings are equal. `=' may be used in place of `==' for strict POSIX compliance.
string1 != string2 True if the strings are not equal.
string1 < string2 True if string1 sorts before string2 lexicographically in the current locale.
string1 > string2 True if string1 sorts after string2 lexicographically in the current locale.
arg1 OP arg2 OP is one of `-eq', `-ne', `-lt', `-le', `-gt', or `-ge'. These arithmetic binary operators return true if arg1 is equal to, not equal to, less than, less than or equal to, greater than, or greater than or equal to arg2, respectively. Arg1 and arg2 may be positive or negative integers.






Default Value, assigning



${TARGET_SYSTEM="petritis@172.16.0.176"}





For loop



# set form:
#for name [in words ...]; do commands; done
for ITEM in one two three ; do echo $ITEM ; done

for ITEM in one two three
do
 echo $ITEM
done

#output is
one
two
three

# arithmatic form:
for (( expr1 ; expr2 ; expr3 )) ; do commands ; done





Functions, user defined



[ function ] name () { command-list; }

function show() {
   echo all params $*
   local LOCALVAR=$1
   echo $LOCALVAR
  
   return 3
}





Tokenizing



# Declare an Array Variable (TOKEN):
declare -a TOKEN

# Assign the string with delimiters in it to TOKEN
TOKEN=("one two three")

# You can access the elements like this:
echo ${TOKEN[0]}
echo ${TOKEN[1]}
echo ${TOKEN[2]}

# Makes it one word (using the first delimiter in IFS as the seperator)
echo ${TOKEN[*]}

# Expands each word seperately
echo ${TOKEN[@]}






Special Symbols




















SymbolDescription
$#Number of commandline args (not including the commands name)
$1command line arg #1
$2command line arg #2
$*Expands to the positional parameters, starting from one. When the expansion occurs within double quotes, it expands to a single word with the value of each parameter separated by the first character of the IFS special variable. That is, "$*" is equivalent to "$1c$2c...", where c is the first character of the value of the IFS variable. If IFS is unset, the parameters are separated by spaces. If IFS is null, the parameters are joined without intervening separators.
$@Expands to the positional parameters, starting from one. When the expansion occurs within double quotes, each parameter expands to a separate word. That is, "$@" is equivalent to "$1" "$2" .... When there are no positional parameters, "$@" and $@ expand to nothing (i.e., they are removed).
$?Expands to the exit status of the most recently executed foreground pipeline.
$-(A hyphen.) Expands to the current option flags as specified upon invocation, by the set builtin command, or those set by the shell itself (such as the `-i' option).
$$Expands to the process ID of the shell. In a () subshell, it expands to the process ID of the invoking shell, not the subshell.
$!Expands to the process ID of the most recently executed background (asynchronous) command.
$0Expands to the name of the shell or shell script. This is set at shell initialization. If Bash is invoked with a file of commands (see section 3.8 Shell Scripts), $0 is set to the name of that file. If Bash is started with the `-c' option (see section 6.1 Invoking Bash), then $0 is set to the first argument after the string to be executed, if one is present. Otherwise, it is set to the filename used to invoke Bash, as given by argument zero.
$_(An underscore.) At shell startup, set to the absolute filename of the shell or shell script being executed as passed in the argument list. Subsequently, expands to the last argument to the previous command, after expansion. Also set to the full pathname of each command executed and placed in the environment exported to that command. When checking mail, this parameter holds the name of the mail file.








While loop



X=0
while [ $X -le 2 ]
do
   echo in loop
   sleep 10
done




If



See Conditional Expressions for more useful info.



X=one
Y=two

if [ $X = $Y ] ;
then
 echo same
else
 echo dif
fi

Y=one

if [ $X = $Y ] ; then echo same ; fi






File Existance



if [ -e $FILE ] ; then
   echo $FILE exists
fi

if [ ! -d $DIR ] ; then
   echo $DIR does NOT exist
fi






Variable Manipulation



3.5.3 Shell Parameter Expansion





The `$' character introduces parameter expansion,
command substitution, or arithmetic expansion. The parameter name
or symbol to be expanded may be enclosed in braces, which
are optional but serve to protect the variable to be expanded from
characters immediately following it which could be
interpreted as part of the name.



When braces are used, the matching ending brace is the first `}'
not escaped by a backslash or within a quoted string, and not within an
embedded arithmetic expansion, command substitution, or parameter
expansion.



The basic form of parameter expansion is ${parameter}.
The value of parameter is substituted. The braces are required
when parameter
is a positional parameter with more than one digit,
or when parameter

is followed by a character that is not to be
interpreted as part of its name.



If the first character of parameter is an exclamation point,
a level of variable indirection is introduced.
Bash uses the value of the variable formed from the rest of
parameter as the name of the variable; this variable is then
expanded and that value is used in the rest of the substitution, rather
than the value of parameter itself.
This is known as indirect expansion.
The exception to this is the expansion of ${!prefix*}

described below.



In each of the cases below, word is subject to tilde expansion,
parameter expansion, command substitution, and arithmetic expansion.



When not performing substring expansion, Bash tests for a parameter
that is unset or null; omitting the colon results in a test only for a
parameter that is unset. Put another way, if the colon is included,
the operator tests for both existence and that the value is not null;
if the colon is omitted, the operator tests only for existence.




${parameter:-word}


If parameter is unset or null, the expansion of
word is substituted. Otherwise, the value of
parameter is substituted.


${parameter:=word}


If parameter
is unset or null, the expansion of word
is assigned to parameter.
The value of parameter
is then substituted. Positional parameters and special parameters may
not be assigned to in this way.


${parameter:?word}


If parameter
is null or unset, the expansion of word (or a message
to that effect if word
is not present) is written to the standard error and the shell, if it
is not interactive, exits. Otherwise, the value of parameter is
substituted.


${parameter:+word}


If parameter
is null or unset, nothing is substituted, otherwise the expansion of
word is substituted.


${parameter:offset}

${parameter:offset:length}


Expands to up to length characters of parameter
starting at the character specified by offset.
If length is omitted, expands to the substring of
parameter starting at the character specified by offset.

length and offset are arithmetic expressions
(see section 6.5 Shell Arithmetic).
This is referred to as Substring Expansion.

length must evaluate to a number greater than or equal to zero.
If offset evaluates to a number less than zero, the value
is used as an offset from the end of the value of parameter.
If parameter is `@', the result is length positional
parameters beginning at offset.
If parameter is an array name indexed by `@' or `*',
the result is the length

members of the array beginning with ${parameter[offset]}.
Substring indexing is zero-based unless the positional parameters
are used, in which case the indexing starts at 1.


${!prefix*}

Expands to the names of variables whose names begin with prefix,
separated by the first character of the IFS special variable.


${#parameter}

The length in characters of the expanded value of parameter is
substituted.
If parameter is `*' or `@', the value substituted
is the number of positional parameters.
If parameter is an array name subscripted by `*' or `@',
the value substituted is the number of elements in the array.


${parameter#word}

${parameter##word}

The word
is expanded to produce a pattern just as in filename
expansion (see section 3.5.8 Filename Expansion). If the pattern matches
the beginning of the expanded value of parameter,
then the result of the expansion is the expanded value of parameter

with the shortest matching pattern (the `#' case) or the
longest matching pattern (the `##' case) deleted.
If parameter is `@' or `*',
the pattern removal operation is applied to each positional
parameter in turn, and the expansion is the resultant list.
If parameter is an array variable subscripted with

`@' or `*',
the pattern removal operation is applied to each member of the
array in turn, and the expansion is the resultant list.


${parameter%word}

${parameter%%word}


The word is expanded to produce a pattern just as in
filename expansion.
If the pattern matches a trailing portion of the expanded value of
parameter, then the result of the expansion is the value of
parameter with the shortest matching pattern (the `%' case)
or the longest matching pattern (the `%%' case) deleted.
If parameter is `@' or `*',
the pattern removal operation is applied to each positional
parameter in turn, and the expansion is the resultant list.
If parameter

is an array variable subscripted with `@' or `*',
the pattern removal operation is applied to each member of the
array in turn, and the expansion is the resultant list.


${parameter/pattern/string}

${parameter//pattern/string}



The pattern is expanded to produce a pattern just as in
filename expansion.
Parameter is expanded and the longest match of pattern
against its value is replaced with string.
In the first form, only the first match is replaced.
The second form causes all matches of pattern to be
replaced with string.
If pattern begins with `#', it must match at the beginning
of the expanded value of parameter.
If pattern begins with `%', it must match at the end
of the expanded value of parameter.
If string is null, matches of pattern are deleted
and the / following pattern may be omitted.
If parameter is `@' or `*',
the substitution operation is applied to each positional
parameter in turn, and the expansion is the resultant list.
If parameter

is an array variable subscripted with `@' or `*',
the substitution operation is applied to each member of the
array in turn, and the expansion is the resultant list.




Posted by at No comments:
Subscribe to: Posts (Atom)